Beruflich Dokumente
Kultur Dokumente
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Background Information
Configure
Network Diagram
Configurations
VPN Client 4.8 Configuration
Verify
Troubleshoot
Troubleshooting Commands
Sample debug Output
Related Information
Introduction
This sample configuration shows how to set up multiple VPN Group Clients to use different VLANs after the
IPsec tunnel is established with the PIX 500 Series Security Appliance.
Prerequisites
Requirements
Ensure that you meet this requirement before you attempt this configuration:
The PIX 500 Series Security Appliance 7.x and VPN Client 4.x are reachable from the Internet.
Components Used
The information in this document is based on these software and hardware versions:
PIX 515E Series Security Appliance Software Release 7.1(1)
Cisco VPN Client version 4.8 for Windows
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Related Products
You can also use this configuration with the Cisco ASA 5500 Series Adaptive Security Appliance.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
In this configuration example, there are two VPN Clients (user1 and user2) and there are two different
VLANs named vlan2 and vlan3. Once the IPsec tunnel is established, user1 should be able to connect only to
vlan2 and user2 should be able to connect only to vlan3.
Vlan2 is created under the subinterface (Ethernet 1.1) and vlan3 is created under the subinterface (Ethernet
1.2) of the Ethernet 1 interface of the PIX Security Appliance. You must enable the physical interface before
any traffic can pass through an enabled subinterface.
In general, if the IPsec tunnel is established from the Cisco VPN Client to the PIX Firewall, all the traffic is
sent through the tunnel to the PIX Firewall. This can become very costly in terms of resource usage if many
clients are connected at once. In order to avoid such heavy resource usage, you can use split tunneling. Split
tunneling encrypts only the interesting traffic and the rest of the traffic goes to the Internet and does not get
encrypted into the tunnel.
Note: If you would like to tunnel all traffic before you send it out to the Internet, refer to PIX/ASA 7.x and
VPN Client for Public Internet VPN on a Stick Configuration Example for more information.
Configure
In this section, you are presented with the information to configure the multiple remote access VPN
connections with the different VLANs in the PIX Security Appliance.
Note: Use the Command Lookup Tool ( registered customers only) to obtain more information on the commands
used in this section.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
PIX 515E Security Appliance Configuration
Cisco VPN Client 4.8 for Windows Configuration
PIX 515E Security Appliance Configuration
PIX Version 7.1(1)
!
hostname pix
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0
nameif outside
securitylevel 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet1
no nameif
no securitylevel
no ip address
! Output is suppressed.
!
passwd 9jNfZuG3TC5tCVH0 encrypted
ftp mode passive
! This access list is used for a nat zero command that prevents
! traffic from undergoing network address translation (NAT).
!
!
!
!
! NAT 0 prevents NAT for the networks specified in the access list.
! The nat 1 command specifies port address translation (PAT)
! using the outside interface IP address for all other traffic.
! The split tunnel policy tunnels all traffic from or to the specified networks.
splittunnelpolicy tunnelspecified
!
!
!
!
!
!
!
!
!
PHASE 2 CONFIGURATION !
The encryption types for Phase 2 are defined here.
A single DES encryption with
the md5 hash algorithm is used.
!
!
!
!
!
PHASE 1 CONFIGURATION !
This configuration uses ISAKMP policy 10.
Policy 65535 is included in the configuration by default.
The configuration commands here define the Phase
1 policy parameters that are used.
isakmp
isakmp
isakmp
isakmp
isakmp
enable
policy
policy
policy
policy
outside
10 authentication preshare
10 encryption des
10 hash sha
10 group 2
! Configures an address pool for the tunnel group and enters the generalattributes mode.
! Associates the user1 pool to the tunnel group (vpn1) that uses the address pool.
defaultgrouppolicy vpn1
!
!
!
!
inspect
inspect
inspect
inspect
inspect
inspect
esmtp
sqlnet
sunrpc
tftp
sip
xdmcp
!
servicepolicy global_policy global
Cryptochecksum:0becb57df25d69a098b25bf07994b6b6
: end
pix#
3. Enter the name of the Connection Entry along with a description. Enter the outside IP address of the
PIX Firewall in the Host box. Then enter the Tunnel Group name (in this case, vpn2) and the
preshared key and click Save.
4. Click on the connection you would like to use and click Connect from the VPN Client main window.
5. When prompted, enter the Username and Password information configured in the PIX and click OK
to connect to the remote network.
6. The Cisco VPN Client gets connected with the PIX at the central site.
7. Select Status > Statistics to check the tunnel statistics of the Cisco VPN Client.
8. Select Status > Statistics and click Route Details to check the route details of the Cisco VPN Client.
The access list gets downloaded from the PIX to form the secured network connection for the network
specified in the access list. The rest of the traffic directly enters into the Internet without encrypting
into the tunnel.
Verify
This section provides information you can use to confirm your configuration is working properly.
The Output Interpreter Tool ( registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
show crypto isakmp saDisplays all current IKE Security Associations (SAs) at a peer.
show crypto ipsec saDisplays the settings used by current SAs.
pix#show crypto ipsec sa
interface: outside
Crypto map tag: dynmap, seq num: 10, local addr: 172.16.1.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.10/255.255.255.255/0/0)
current_peer: 10.0.0.2, username: vpn2
dynamic allocated peer ip: 10.0.2.10
#pkts
#pkts
#pkts
#pkts
#send
Troubleshoot
This section provides information you can use to troubleshoot your configuration. Sample debug output is
also shown.
Troubleshooting Commands
The Output Interpreter Tool ( registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.
Note: Refer to Important Information on Debug Commands and IP Security Troubleshooting Understanding
and Using debug Commands before you use debug commands.
debug crypto ipsecDisplays the IPsec negotiations of Phase 2.
debug crypto isakmpDisplays the ISAKMP negotiations of Phase 1.
Clear SAs
When a change is made to the tunnel configuration, be sure to clear the SAs. Use these commands in the
privileged mode of the PIX:
clear [crypto] ipsec saDeletes the active IPsec SAs. The keyword 'crypto' is optional.
clear [crypto] isakmp saDeletes the active IKE SAs. The keyword 'crypto' is optional.
! User (vpn2) attributes from the tunnel group (vpn2) are downloaded
! to the VPN Client.
= 10.0.0.2, IKE
= 10.0.0.2, IKE
= 10.0.0.2, IKE
= 10.0.0.2, IKE
= 10.0.0.2, IKE
= 10.0.0.2, IKE
! Split tunnel policy attributes are downloaded to the VPN Client (user2).
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
GetUserAttributes: Split Tunneling Policy = Split Network
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, User (vpn
2) authenticated.
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=2b0b30
6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=2b0b3
06) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cess_attr(): Enter!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pro
cessing cfg ACK attributes
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=b983e
913) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 194
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cess_attr(): Enter!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pro
cessing cfg Request attributes
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for IPV4 address!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for IPV4 net mask!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for DNS server address!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for WINS server address!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
unsupported transaction mode attribute: 5
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Banner!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Save PW setting!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Default Domain Name!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Split Tunnel List!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Split DNS!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for PFS setting!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
unknown transaction mode attribute: 28683
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for backup ipsec peer list!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for Application Version!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Client Ty
pe: WinNT Client Application Version: 4.8.01.0300
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for FWTYPE!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for DHCP hostname for DDNS is: tsweblaptop!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, MOD
E_CFG: Received request for UDP Port!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, PHASE 1 COMPLETED
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, Keepalive type for this connection: DPD
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Sta
rting phase 1 rekey timer: 82080000 (ms)
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, sen
ding notify message
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=1a3238
c3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=a8bc0
892) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NO
NE (0) total length : 1026
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing SA payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing nonce payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing ID payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
remote Proxy Host data in ID Payload: Address 10.0.2.10, Protocol 0, Port 0
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing ID payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Received
local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Proto
col 0, Port 0
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, QM IsReke
yed old sa not found by addr
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE Remot
e Peer configured for crypto map: dynmap
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing IPSec SA payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IPS
ec SA Proposal # 14, Transform # 1 acceptable Matches global IPSec SA entry # 10
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE: requ
esting SPI!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
got SPI from key engine: SPI = 0xb9b5c50a
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, oak
ley constucting quick mode
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing blank hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing IPSec SA payload
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Overridin
g Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing IPSec nonce payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing proxy ID
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Tra
nsmitting Proxy Id:
Remote host: 10.0.2.10 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Sen
ding RESPONDER LIFETIME notification to Initiator
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, con
structing qm hash payload
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=a8bc08
92) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOT
IFY (11) + NONE (0) total length : 180
May 31 02:39:59 [IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=a8bc0
892) with payloads : HDR + HASH (8) + NONE (0) total length : 52
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, pro
cessing hash payload
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, loa
ding all IPSEC SAs
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Gen
erating Quick Mode Key!
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Gen
erating Quick Mode Key!
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Security
negotiation complete for User (vpn2) Responder, Inbound SPI = 0xb9b5c50a, Outbo
und SPI = 0x691a0f90
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, IKE
got a KEY_ADD msg for SA: SPI = 0x691a0f90
May 31 02:39:59 [IKEv1 DEBUG]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Pit
cher: received KEY_UPDATE, spi 0xb9b5c50a
May 31 02:39:59 [IKEv1]: Group = vpn2, Username = vpn2, IP = 10.0.0.2, Starting
P2 Rekey timer to expire in 27360 seconds
! Adds a static route for the client IP address in the PIX and
! the Phase 2 completed notification.
Select Log > Log Windows to view the log entries in the Cisco VPN Client. The split tunnel access lists are
downloaded from the PIX for the vpn2 tunnel group user.
Related Information
Cisco PIX 500 Series Security Appliances
Documentation for Cisco PIX Security Appliance OS Software
Cisco Secure PIX Firewall Command References
IPSec Negotiation/IKE Protocols Support Page
Cisco VPN Client Support Page
Requests for Comments (RFCs)
Technical Support & Documentation Cisco Systems